Configuration Guide - IP Service

CloudEngine 8800, 7800, 6800, and 5800 V200R003C00

This document describes the configurations of IP Service, including IP address, ARP, DHCP, DNS, IP performance optimization, IPv6, DHCPv6, and IPv6 DNS.
Example for Configuring IPv6 SEND

Networking Requirements

As shown in Figure 7-17, IPv6 SEND is configured on Switch A to ensure its security. When a network device on which IPv6 SEND is not enabled, such as Switch B, sends messages to Switch A, Switch A treats the messages as invalid and discards them.

Figure 7-17 Networking diagram for configuring IPv6 SEND

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a CGA IPv6 address and a common IPv6 address on Switch A.

  2. Enable the strict security mode on an interface of Switch A.

  3. Configure an IPv6 address for an interface on Switch B.

Procedure

  1. Configure a CGA IPv6 address on Switch A.

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchA
    [*HUAWEI] commit
    [~SwitchA] rsa key-pair label huawei
    [*SwitchA] interface 10ge 1/0/1
    [*SwitchA-10GE1/0/1] undo portswitch
    [*SwitchA-10GE1/0/1] ipv6 enable
    [*SwitchA-10GE1/0/1] ipv6 security rsakey-pair huawei
    [*SwitchA-10GE1/0/1] ipv6 security modifier sec-level 1
    [*SwitchA-10GE1/0/1] ipv6 address fe80::3 link-local cga
    [*SwitchA-10GE1/0/1] ipv6 address fc00:2::/64 cga
    [*SwitchA-10GE1/0/1] ipv6 address fc00:1::1/64

  2. Enable the strict security mode on an interface of Switch A.

    [*SwitchA-10GE1/0/1] ipv6 nd security strict
    [*SwitchA-10GE1/0/1] commit

  3. Configure IPv6 addresses on an interface of Switch B.

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchB
    [*HUAWEI] commit
    [~SwitchB] interface 10ge 1/0/1
    [~SwitchB-10GE1/0/1] undo portswitch
    [*SwitchB-10GE1/0/1] ipv6 enable
    [*SwitchB-10GE1/0/1] ipv6 address auto link-local
    [*SwitchB-10GE1/0/1] ipv6 address fc00:2::2/64
    [*SwitchB-10GE1/0/1] ipv6 address fc00:1::2/64
    [*SwitchB-10GE1/0/1] commit

  4. Verify the configuration.

    If the configuration is successful, the command output shows that the IPv6 addresses and IPv6 SEND are configured and that both the interface state and the IPv6 protocol state are UP.

    # View information about 10GE 1/0/1 on Switch A.

    [~SwitchA-10GE1/0/1] display this ipv6 interface
    10GE1/0/1 current state : UP
    IPv6 protocol current state : UP
    IPv6 is enabled, link-local address is FE80::3057:B5D6:6BD6:6CA8
      Global unicast address(es):
        FC00:1::1, subnet is FC00:1::/64
        FC00:2::2092:84CE:827B:D5A4, subnet is FC00:2::/64
      Joined group address(es):
        FF02::1:FF00:1
        FF02::1:FF7B:D5A4
        FF02::1:FFD6:6CA8
        FF02::2
        FF02::1
      MTU is 1500 bytes
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 1200000 milliseconds
      ND retransmit interval is 1000 milliseconds
      Hosts use stateless autoconfig for addresses

    # View the IPv6 SEND configuration on 10GE 1/0/1 of Switch A.

    [~SwitchA-10GE1/0/1] display ipv6 security interface 10ge 1/0/1
     (L) : Link local address
     SEND: Security ND
     SEND information for the interface : 10GE1/0/1
    ----------------------------------------------------------------------------
     IPv6 address                                   PrefixLength Collision Count
    ----------------------------------------------------------------------------
     FE80::3057:B5D6:6BD6:6CA8 (L)                  10           0
     FC00:2::2092:84CE:827B:D5A4                    64           0
    ----------------------------------------------------------------------------
     SEND sec value : 1
     SEND security modifier value : 585D:9EA0:328:2792:B763:1DE3:BBC4:D22D
     SEND RSA key label bound : huawei
     SEND ND minimum key length value : 512
     SEND ND maximum key length value : 2048
     SEND ND Timestamp delta value : 300
     SEND ND Timestamp fuzz value : 1
     SEND ND Timestamp drift value : 1
     SEND ND fully secured mode : enable

    # View information about 10GE 1/0/1 on Switch B.

    [~SwitchB-10GE1/0/1] display this ipv6 interface
    10GE1/0/1 current state : UP
    IPv6 protocol current state : UP
    IPv6 is enabled, link-local address is FE80::2E0:E6FF:FE13:8100
      Global unicast address(es):
        FC00:1::2, subnet is FC00:1::/64
        FC00:2::2, subnet is FC00:2::/64
      Joined group address(es):
        FF02::1:FF00:2
        FF02::1:FF13:8100
        FF02::2
        FF02::1
      MTU is 1500 bytes
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 1200000 milliseconds
      ND retransmit interval is 1000 milliseconds
      Hosts use stateless autoconfig for addresses

    # Ping the CGA link-local address of Switch A from Switch B. The ping fails because IPv6 SEND is configured on Switch A.

    [~SwitchB-10GE1/0/1] ping ipv6 FE80::3057:B5D6:6BD6:6CA8 -i 10ge 1/0/1
      PING FE80::3057:B5D6:6BD6:6CA8 : 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out
    
      --- FE80::3057:B5D6:6BD6:6CA8 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss
        round-trip min/avg/max = 0/0/0 ms

    # Ping the CGA global unicast address of Switch A from Switch B. The ping fails because IPv6 SEND is configured on Switch A.

    [~SwitchB-10GE1/0/1] ping ipv6 FC00:2::2092:84CE:827B:D5A4
      PING FC00:2::2092:84CE:827B:D5A4 : 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out
    
      --- FC00:2::2092:84CE:827B:D5A4 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss
        round-trip min/avg/max = 0/0/0 ms

    # Ping the common global unicast address of Switch A from Switch B. The ping fails because IPv6 SEND is configured on Switch A.

    [~SwitchB-10GE1/0/1] ping ipv6 FC00:1::1
      PING FC00:1::1 : 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out
    
      --- FC00:1::1 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss
        round-trip min/avg/max = 0/0/0 ms

    # Disable the IPv6 SEND strict security mode on Switch A. The ping from Switch B to Switch A then succeeds. The following example pings the CGA global unicast address of Switch A.

    [~SwitchA-10GE1/0/1] undo ipv6 nd security strict
    [*SwitchA-10GE1/0/1] commit
    [~SwitchB-10GE1/0/1] ping ipv6 FC00:2::2092:84CE:827B:D5A4
      PING FC00:2::2092:84CE:827B:D5A4 : 56  data bytes, press CTRL_C to break
        Reply from FC00:2::2092:84CE:827B:D5A4
        bytes=56 Sequence=1 hop limit=64  time = 1 ms
        Reply from FC00:2::2092:84CE:827B:D5A4
        bytes=56 Sequence=2 hop limit=64  time = 20 ms
        Reply from FC00:2::2092:84CE:827B:D5A4
        bytes=56 Sequence=3 hop limit=64  time = 1 ms
        Reply from FC00:2::2092:84CE:827B:D5A4
        bytes=56 Sequence=4 hop limit=64  time = 1 ms
        Reply from FC00:2::2092:84CE:827B:D5A4
        bytes=56 Sequence=5 hop limit=64  time = 1 ms
    
      --- FC00:2::2092:84CE:827B:D5A4 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 1/4/20 ms
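
How the CGA addresses, the security modifier and `SEND sec value : 1` in the output above fit together, as an added example that is not part of the Huawei guide: it implements the CGA generation and verification hashes defined in RFC 3972. `PUBKEY` is a constructed placeholder byte string standing in for the DER-encoded RSA public key, so the generated address differs from the one on Switch A; the function names are this example's own.

```python
import hashlib
import ipaddress

MASK = 0x1CFFFFFFFFFFFFFF  # Hash1 bits compared: all but Sec (0-2) and u/g (6-7)
PUBKEY = b"constructed placeholder, stands in for the DER-encoded RSA public key"

def sec_of(addr):
    """Sec value encoded in the three leftmost bits of the interface ID."""
    return (int(ipaddress.IPv6Address(addr)) >> 61) & 0x7

def hash1(modifier, prefix, coll, pubkey):
    digest = hashlib.sha1(modifier + prefix + bytes([coll]) + pubkey).digest()
    return int.from_bytes(digest[:8], "big")

def hash2_ok(modifier, pubkey, sec):
    # Hash2 input zeroes the prefix and collision count (9 octets);
    # its 16*Sec leftmost bits must be zero.
    digest = hashlib.sha1(modifier + bytes(9) + pubkey).digest()
    return digest[:2 * sec] == bytes(2 * sec)

def generate(prefix, pubkey, sec, start=0):
    """Search for a modifier that satisfies Hash2, then derive the address."""
    pfx = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    m = start
    while not hash2_ok(m.to_bytes(16, "big"), pubkey, sec):
        m = (m + 1) % 2**128
    modifier = m.to_bytes(16, "big")
    iid = (hash1(modifier, pfx, 0, pubkey) & MASK) | (sec << 61)
    return ipaddress.IPv6Address(pfx + iid.to_bytes(8, "big")), modifier

def verify(addr, modifier, coll, pubkey):
    """Receiver-side check; the subnet prefix is taken from the address."""
    packed = ipaddress.IPv6Address(addr).packed
    iid = int.from_bytes(packed[8:], "big")
    if coll not in (0, 1, 2):
        return False
    if (hash1(modifier, packed[:8], coll, pubkey) ^ iid) & MASK:
        return False
    return hash2_ok(modifier, pubkey, iid >> 61)

if __name__ == "__main__":
    for a in ("FC00:2::2092:84CE:827B:D5A4", "FE80::3057:B5D6:6BD6:6CA8",
              "FC00:1::1", "FE80::2E0:E6FF:FE13:8100"):  # addresses from the page
        print(a, "Sec =", sec_of(a))
    addr, mod = generate("fc00:2::/64", PUBKEY, sec=1)
    print(addr, mod.hex(), verify(addr, mod, 0, PUBKEY))
```

Both CGA addresses of Switch A decode to Sec 1, matching `ipv6 security modifier sec-level 1`, while the common address FC00:1::1 and Switch B's EUI-64 link-local address decode to Sec 0 and carry no key binding that a SEND receiver could check.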

Configuration Files

  • Configuration file of SwitchA

    #
    sysname SwitchA
    #
    interface 10GE1/0/1
     undo portswitch
     ipv6 enable
     ipv6 security rsakey-pair huawei
     ipv6 security modifier sec-level 1
     ipv6 address FC00:1::1/64
     ipv6 address FC00:2::/64 cga
     ipv6 address FE80::3 link-local cga
     ipv6 nd security strict
    #
    return

  • Configuration file of SwitchB

    #
    sysname SwitchB
    #
    interface 10GE1/0/1
     undo portswitch
     ipv6 enable
     ipv6 address FC00:1::2/64
     ipv6 address FC00:2::2/64
     ipv6 address auto link-local
    #
    return

Updated: 2019-05-08

Document ID: EDOC1100004354
